Ooops. There goes your Domain Name

March 12th, 2008

Ooops. There goes your Domain Name

by admin

More Bad news
I know you people in the mortgage and real estate industry are near the end of your rope but I must take a moment to impart more bad news. There is pending legislation that would jeopardize your domain name(s) and force you to publish your home address if you work from home or blog. Veiled as Anti-Phishing (hey who wants to be anti-anti-phishing as that would make you pro-phishing right?) it has some concerning sections for ALL domain owners.

On February 25, 2008 U.S. Senator Olympia Snowe introduced S. 2661, the “Anti-Phishing Consumer Protection Act of 2008” (APCPA). The bill was also cosponsored by Senators Bill Nelson (D-FL) and Ted Stevens (R-AK). It has been referred to the Senate Committee on Commerce, Science and Transportation.

This bill is being referred to as a “Snowe Job” by small companies, individuals, bloggers and domain name investors. Mr Stevens is already infamous for his understanding of the internet.

Reverse Domain Hijacking on Steroids?
While using a very friendly title Anti-Phishing Consumer Protection Act of 2008 -some are calling this bill the 2008 Reverse Domain Name Hijacking Act.

Private WHOIS Registration? Jail Time and Bankruptcy.
The bill also makes PRIVATE WHOIS registration of a domain name punishable by prison time and fines up to $6 million per domain name.

Read the bill for yourself and if you wish you can read my analysis below.

Upon reading the bill it is clearly written as three bills in one;
Phishing (section A)
Domain Names (section B)
and private WHOIS registration (section C).

While the reader might assume that sections regarding Domains (B) and private WHOIS (C) are relevant only in the case of suspected or proven Phishing attempts (section A), this is not the case. Each section stands alone and is unrelated to the other sections.

Section B
Section B would expand current legislation regarding trademark owners and create new legislation that could allow businesses, individuals and government organizations to lose their domain names via the confusingly similar language found in section B.

Section B would create a Pandora’s Box as any person, company, church or other entity that owns a domain name can be brought into court by any person, company, church or other entity that feels a domain name infringes on their trademark, brand, personal identity or business.
This would allow potential fines in the millions of dollars and jail terms for any person, business, church or government that owns a domain name considered confusingly similar. As an example the owner of the domain name Workout.net could bring legal action against the owner of the domain name Workout.com or the domain name Workout.biz even though the owner of Workout.net has no trademark or famous brand but the names could be construed as confusingly similar.

Trademark owners already have strong and highly effective remedies for infringement of their marks by domain names, as they can elect to pursue an arbitration action through the Uniform Dispute Resolution Process (UDRP) administered by the Internet Corporation for Assigned Names and Numbers (ICANN) or to sue in Federal Court under the Anti-Cybersquatting Prevention Act (ACPA). S. 2661 would give them a third option that is broader in scope, less balanced, and far more punitive than the ACPA. For example, both the UDRP and the ACPA require that the trademark owner establish that a domain registration was made in bad faith, but S. 2661 contains no such requirement.
While the ACPA provides for statutory damages of up to $100,000 per infringement, S. 2661 would provide damages of up to $6 million for the same offense. Notwithstanding the bill’s labeling as an anti-phishing measure, these lawsuits could be brought without any requirement of supporting evidence that the domain name was in any way associated with criminal phishing activity.

Section C
Private WHOIS is likened to an unlisted phone number for domain owners. Section C criminalizes all private WHOIS registrations.
Many small businesses operate from home offices and would prefer not to give a home address when registering a domain name. Providing a home or business address can lead to unwanted visitors to your home or office and WHOIS registration data is constantly mined by email spammers, phone solicitors, junk fax and junk mail list providers.
Unfortunately the simple ownership of one domain name you can open the door to an endless supply of unsolicited contact from anywhere on the planet. Unlike our Do Not Call lists once your email,phone or address is in cyberspace it cannot ever be removed.

Additionally, ICANN has spent hundreds of hours researching and working on potential solutions to the WHOIS privacy dilemma and this legislation would ignore ICANN’s efforts and work in this area.

Understanding Phishing
Phishing is a problem but this bill will do little to stop the practice.

Consider the following facts:

67% of Phishing attacks are from outside the US and many are run by organized crime rings located outside the US

Phishing attacks usually last 4 hours or less before the site is shut down or removed.

Over 90% of Phishing attacks are related to the financial services industry.

Phishing attacks are now more complicated and many now rely on practices like silently changing DNS servers on compromised user computers rather than hoping they find a misspelled bank domain name.

Many Phishing attacks take place on compromised machines. In this case the domain name is the actual bank or financial service domain name. The bank’s server has been “hacked” and had proper login screens replaced by Phishing login screens.

Phishing attacks use junk domain names and typically place infringing names as subdomains to trick users.

Phishing attacks are commonly done via email and use a fake hyperlink to trick the user. In most cases the visible link may show a legitimate domain name yet the actual link will most likely use famous mark in the subdomain but use a junk domain name.

Below is a real world example of a Phishing attempt that I received via email:
The email shows the link http://wc.wachovia.com/online
but the actual link is http:://wc.wachovia.ibsIDcmopserver.cmserver.access.default.servletDOLOGIN.verify.cfm.fdgd2.com

Note: The domain name used for this attempt is fdgd2.com which is a throw away domain name while the bank name is used early in the URL as a subdomain name to fool the user.

See stats and learn more at http://www.antiphishing.org/

Damage to Small Businesses
The Findings section of S. 2661 states that “78% of small businesses polled stated a less reliable Internet would damage their business”. Since the Internet is certainly critical to small businesses secure domain name ownership is crucial to small businesses. Ironically S. 2661 would likely hurt small businesses due to Section B, than any presumed consumer fear of Phishing scams.
If small business owners and domain investors are afraid to invest in their web sites, due to constant concerns about legal action via Section B, then small businesses will not be able to invest time and money into development and promotion of their domain names. The Internet is important to help sustain and grow small US businesses in a hyper-competitive global economy. S. 2661 would hurt the US small business owner and thus hurt the US economy.

Losing Business to Foreign Competitors
Due to concerns about S. 2661 many US and non-US residents are contemplating or already taking action to move web hosting, domain registration and many other Internet services away from US based providers. Domain registration, hosting and other services are offered by many companies in many countries and these companies will gladly take revenue from small US based businesses offering domain registration, web hosting and related services.

Summary
Phishing is a growing problem but it will not be solved or even slowed down by S. 2661.

The main impact S. 2661 would have is to allow bigger businesses to potentially take away domain names from small businesses, churches, political groups and individuals that rightfully own domain names and have absolutely no connection to Phishing or Phishing attempts.

If you want to voice an opinion
http://www.thepetitionsite.com/1/snowe-bill-threatens-domain-name-registrants-and-internet-commerce

Contact the ICA
http://www.internetcommerce.org/Snowe_Bill_Threatens_Domain_Name_Registrants

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.